Hackers infecting devices with malware and dragging them unwittingly into a botnet army for nefarious purposes sounds terrible enough. Unfortunately, it turns out the bad guys may have found a way to take a serious problem and make it worse.
Bad actors with smarts and an internet connection are always finding new vulnerabilities to exploit, and they have no shortage of attack surface to target.
We’re talking about Distributed Denial of Service or DDoS and, in particular, the recent discovery of a new attack method with alarming amplification rates that targets TCP middleboxes used for content filtering.
DDoS combines a large number of online devices into a botnet. It then uses this army of machines to target a specific system, attempting to overwhelm it with bogus requests or nonsense data. Unlike many cyber threats, DDoS attacks are not trying to breach a system and gain access to its contents. Instead, they try to bring down the system and make the service unavailable to real users.
There are numerous potential reasons for a DDoS attack:
- Extortion
- Hacktivism
- Cyberwarfare
- Competitive business tool
- Or a smokescreen for another attack
Whatever their purpose, they are becoming more and more prevalent, and hackers are finding new ways to amplify their effect.
What is DDoS Amplification?
During a DDoS attack, the targeted system is overwhelmed with connection requests, messages, or malformed packets it can’t dissect. All this is to slow the system down to a crawl, exhaust its bandwidth, or crash the system entirely, and deny service to legitimate users.
There are many different approaches to amplify this flood of information beyond what would be capable from a botnet alone. They all use a reflector to increase the size of the queries sent and consume more of the target’s bandwidth.
A reflector is a server accessible online that offers clients a service such as DNS, NTP, SNMP, etc. Common examples of servers unwittingly becoming reflectors for DDoS amplification include misconfigured DNS servers or public DNS servers intentionally set up to allow open recursion for clients.
DDoS amplification starts by sending the reflector what seems like legitimate queries. However, these queries contain a spoofed IP address of the attack’s intended target. Using their IP address hides the attacker’s identity and generates a query response much larger than the original request.
For example, the original query to a DNS server only contains the single spoofed IP address, but the query response includes many IP addresses for the resolved domain. Therefore the bandwidth required to respond is significantly larger than the original query – the reflector produces an asymmetrical, amplified response consuming more of the victim’s bandwidth.
By using a botnet to flood multiple different reflectors at the same time, the DDoS attack can significantly increase in size while also helping to hide the original attacker’s identity. Often DDoS attacks increase the volume through amplification taking advantage of multiple application protocols (DNS, NTP, SNMP, etc.) simultaneously.
These application layer protocols use the connectionless UDP protocol to handle transmission instead of the connection-oriented TCP. This removes the need for a 3-way handshake between attacker, reflector, and victim, preventing amplification.
Content Filtering Devices Enable 65x Amplification
That is until recently. First investigated in August 2021, a new DDoS attack vector targeting TCP middleboxes for reflection is beginning to find use.
Middleboxes are network devices performing content filtering, inspecting packet streams between online devices. Hackers have found a way to target vulnerable middleboxes and get around the 3-way handshake used by TCP, making the device churn out a larger response amplifying the attack.
Typically in DDoS amplification, the attacker sends a packet to the reflector containing the SYN (Synchronize) bit set and a spoofed IP address of the target. The reflector responds by sending a packet to the victim with both SYN and ACK (Acknowledge) bit sets. However, without a 3-way handshake, TCP services discard the SYN+ACK packet, and no amplification is possible.
The new exploit is a resource exhaustion attack. Cybercriminals now have a way of directing SYN packets at a TCP application causing it to respond with numerous SYN+ACK packets. The TCP session remains open, waiting for the three-way handshake to be initialized. With TCP sessions stuck in a half-open state, the targeted system consumes more resources.
Worryingly, analysts have observed SYN packets containing a 33-byte payload produce a massive 2,156 byte response, an amplification level of over 65x.
Estimates suggest there are hundreds of thousands of vulnerable middlebox systems potentially exploitable for TCP reflection. The achievable amplification rate could exceed even the most threatening UDP-based attack vectors. DDoS amplification through content filtering could have serious consequences, leading to new, more limiting attacks.
Already attacks with reflection using TCP middleboxes have targeted banking, web-hosts, gaming, media, and travel companies. Thankfully, the attacks seem relatively small for now, with the largest only reaching 11 Gbps. However, with time cybercriminals can fine-tune this technique to find optimal reflection patterns and deliver damaging DDoS attacks.
Protecting Against DDoS Threats
To match this new DDoS amplification threat, organizations need to:
- Be wary of all SYN floods that have a length greater than 0 bytes.
- Define new firewall rules based on SYN packet length.
- Implement modules for antispoofing and out-of-state mitigation.
- Add SYN challenges that sabotage the handshake, preventing bogus requests and data reaching apps and servers.
In general, to operate online services in 2022 requires some form of anti-DDoS protection. This could be through border gateway protocol routing or DNS redirection to first send traffic through a DDoS protection network.
Time Will Tell
While middlebox reflection and using content filtering to enable DDoS amplification are new, SYN floods have been around for years. Therefore, we have some inspiration to help mitigation efforts keep up with the threat.
Time will tell how big of a menace this new DDoS amplification strategy will be. Current TCP reflection attacks are limited in size, but threat analysts expect it won’t be long until we see the real consequences. So organizations need to make plans now for how to mitigate its effect.